From d9bdf4482794c629fb017a10450edfb2bb0c7ad9 Mon Sep 17 00:00:00 2001 From: Mikey Henderson Date: Wed, 8 Nov 2023 08:36:18 -0800 Subject: [PATCH] Release 1.1 (#12) * Meta Data Support Additions * fixed error handling from Hydrant API changes * Fixed Enrollment External Validation * Recompile against latest Gateway Framework * Compiled against latest version and fixed error when no cert is ever available for download after 30 seconds --- CHANGELOG.md | 2 + .../src/HydrantIdProxy/HydrantIdProxy.cs | 609 ++++++++-------- .../src/HydrantIdProxy/HydrantIdProxy.csproj | 7 +- .../src/HydrantIdProxy/RequestManager.cs | 686 +++++++++--------- HydrantIdProxy/src/HydrantIdProxy/app.config | 36 +- .../src/HydrantIdProxy/packages.config | 31 +- README.md | 30 +- readme_source.md | 27 + 8 files changed, 738 insertions(+), 690 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f3a28e..2192d88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +v1.1.2 +- Recompiled agains the latest gateway and Bouncy Castle Frameworks v1.1.1 - Fixed error handing to match Hydrant new API Structure diff --git a/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.cs b/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.cs index e92f2f5..5904370 100644 --- a/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.cs +++ b/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.cs @@ -1,213 +1,216 @@ -// Copyright 2023 Keyfactor -// Licensed under the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. You may obtain a -// copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless -// required by applicable law or agreed to in writing, software distributed -// under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES -// OR CONDITIONS OF ANY KIND, either express or implied. See the License for -// thespecific language governing permissions and limitations under the -// License. -using System; -using System.Collections.Concurrent; -using System.Collections.Generic; +// Copyright 2023 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. You may obtain a +// copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless +// required by applicable law or agreed to in writing, software distributed +// under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES +// OR CONDITIONS OF ANY KIND, either express or implied. See the License for +// thespecific language governing permissions and limitations under the +// License. +using System; +using System.Collections.Concurrent; +using System.Collections.Generic; using System.Diagnostics; -using System.Linq; -using System.Security.Cryptography.X509Certificates; -using System.Text; -using System.Threading; -using System.Threading.Tasks; -using CAProxy.AnyGateway; -using CAProxy.AnyGateway.Interfaces; -using CAProxy.AnyGateway.Models; -using CAProxy.Common; -using CSS.Common; -using CSS.Common.Logging; -using CSS.PKI; -using Keyfactor.HydrantId.Client; -using Keyfactor.HydrantId.Client.Models; -using Keyfactor.HydrantId.Interfaces; -using Newtonsoft.Json; - -namespace Keyfactor.HydrantId -{ - public class HydrantIdProxy : BaseCAConnector - { - private readonly RequestManager _requestManager; - - public HydrantIdProxy() - { - _requestManager = new RequestManager(); - } - - public HydrantIdClient HydrantIdClient { get; set; } - public bool EnableTemplateSync { get; set; } - - public override int Revoke(string caRequestId, string hexSerialNumber, uint revocationReason) - { - try - { - Logger.Trace("Staring Revoke Method"); - - var hydrantId = caRequestId.Substring(0, 36); - var revokeReason = _requestManager.GetMapRevokeReasons(revocationReason); - - Logger.Trace($"Revoke Reason {revokeReason}"); - - var revokeResponse = Task.Run(async () => - await HydrantIdClient.GetSubmitRevokeCertificateAsync(hydrantId, revokeReason)) - .Result; - - Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}"); - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - return 1; - } - catch (Exception e) - { - Logger.Error($"An Error has occurred during the revoke process {e.Message}"); - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - return -1; - } - } - - [Obsolete] - public override void Synchronize(ICertificateDataReader certificateDataReader, - BlockingCollection blockingBuffer, - CertificateAuthoritySyncInfo certificateAuthoritySyncInfo, CancellationToken cancelToken, - string logicalName) - { - } - - public override void Synchronize(ICertificateDataReader certificateDataReader, - BlockingCollection blockingBuffer, - CertificateAuthoritySyncInfo certificateAuthoritySyncInfo, - CancellationToken cancelToken) - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - try - { - var certs = new BlockingCollection(100); - _ = HydrantIdClient.GetSubmitCertificateListRequestAsync(certs, cancelToken); - - foreach (var currentResponseItem in certs.GetConsumingEnumerable(cancelToken)) - { - if (cancelToken.IsCancellationRequested) - { - Logger.Error("Synchronize was canceled."); - break; - } - - try - { - Logger.Trace($"Took Certificate ID {currentResponseItem?.Id} from Queue"); - if (currentResponseItem != null) - { - var certStatus = _requestManager.GetMapReturnStatus(currentResponseItem.RevocationStatus); - Logger.Trace($"Numeric Status {certStatus}"); - - if (certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.ISSUED) || - certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.REVOKED)) - { - var productId = currentResponseItem.Policy.Name; - Logger.Trace($"Product Id {productId}"); - - var singleCert = HydrantIdClient.GetSubmitGetCertificateAsync(currentResponseItem.Id); - - var fileContent = singleCert.Result.Pem ?? string.Empty; - - Logger.Trace($"Certificate Content: {fileContent}"); - - if (fileContent.Length > 0) - { - var certData = fileContent.Replace("\n", string.Empty); - var splitCerts = - certData.Split( - new[] {"-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----"}, - StringSplitOptions.RemoveEmptyEntries); - foreach (var cert in splitCerts) - try - { +using System.Linq; +using System.Security.Cryptography.X509Certificates; +using System.Text; +using System.Threading; +using System.Threading.Tasks; +using CAProxy.AnyGateway; +using CAProxy.AnyGateway.Interfaces; +using CAProxy.AnyGateway.Models; +using CAProxy.Common; +using CSS.Common; +using CSS.Common.Logging; +using CSS.PKI; +using Keyfactor.HydrantId.Client; +using Keyfactor.HydrantId.Client.Models; +using Keyfactor.HydrantId.Interfaces; +using Newtonsoft.Json; + +namespace Keyfactor.HydrantId +{ + public class HydrantIdProxy : BaseCAConnector + { + private readonly RequestManager _requestManager; + + public HydrantIdProxy() + { + _requestManager = new RequestManager(); + } + + public HydrantIdClient HydrantIdClient { get; set; } + public bool EnableTemplateSync { get; set; } + + public override int Revoke(string caRequestId, string hexSerialNumber, uint revocationReason) + { + try + { + Logger.Trace("Staring Revoke Method"); + + var hydrantId = caRequestId.Substring(0, 36); + var revokeReason = _requestManager.GetMapRevokeReasons(revocationReason); + + Logger.Trace($"Revoke Reason {revokeReason}"); + + var revokeResponse = Task.Run(async () => + await HydrantIdClient.GetSubmitRevokeCertificateAsync(hydrantId, revokeReason)) + .Result; + + Logger.Trace($"Revoke Response JSON: {JsonConvert.SerializeObject(revokeResponse)}"); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + return 1; + } + catch (Exception e) + { + Logger.Error($"An Error has occurred during the revoke process {e.Message}"); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + return -1; + } + } + + [Obsolete] + public override void Synchronize(ICertificateDataReader certificateDataReader, + BlockingCollection blockingBuffer, + CertificateAuthoritySyncInfo certificateAuthoritySyncInfo, CancellationToken cancelToken, + string logicalName) + { + } + + public override void Synchronize(ICertificateDataReader certificateDataReader, + BlockingCollection blockingBuffer, + CertificateAuthoritySyncInfo certificateAuthoritySyncInfo, + CancellationToken cancelToken) + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + try + { + var certs = new BlockingCollection(100); + _ = HydrantIdClient.GetSubmitCertificateListRequestAsync(certs, cancelToken); + + foreach (var currentResponseItem in certs.GetConsumingEnumerable(cancelToken)) + { + if (cancelToken.IsCancellationRequested) + { + Logger.Error("Synchronize was canceled."); + break; + } + + try + { + Logger.Trace($"Took Certificate ID {currentResponseItem?.Id} from Queue"); + if (currentResponseItem != null) + { + var certStatus = _requestManager.GetMapReturnStatus(currentResponseItem.RevocationStatus); + Logger.Trace($"Numeric Status {certStatus}"); + + if (certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.ISSUED) || + certStatus == Convert.ToInt32(PKIConstants.Microsoft.RequestDisposition.REVOKED)) + { + var productId = currentResponseItem.Policy.Name; + Logger.Trace($"Product Id {productId}"); + + var singleCert = HydrantIdClient.GetSubmitGetCertificateAsync(currentResponseItem.Id); + + var fileContent = singleCert.Result.Pem ?? string.Empty; + + Logger.Trace($"Certificate Content: {fileContent}"); + + if (fileContent.Length > 0) + { + var certData = fileContent.Replace("\n", string.Empty); + var splitCerts = + certData.Split( + new[] {"-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----"}, + StringSplitOptions.RemoveEmptyEntries); + foreach (var cert in splitCerts) + try + { var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(cert)); - var caReqId = $"{currentResponseItem.Id}-{currentCert.SerialNumber}"; - Logger.Trace($"Split Cert Value: {cert}"); - blockingBuffer.Add(new CAConnectorCertificate - { - CARequestID =$"{currentResponseItem.Id}", - Certificate = cert, - SubmissionDate = Convert.ToDateTime(singleCert.Result.CreatedAt), - Status = certStatus, - ProductID = productId - }, cancelToken); - } - catch (Exception e) - { - Logger.Error( - $"Exception occurred Adding Cert to buffer: {e.Message} HydrantId: {currentResponseItem.Id} CommonName: {currentResponseItem.CommonName} Serial: {currentResponseItem.Serial}"); - } - } - } - } - } - catch (OperationCanceledException) - { - Logger.Error("Synchronize was canceled."); - break; - } - } - } - catch (AggregateException aggEx) - { - Logger.Error("Csc Global Synchronize Task failed!"); - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - // ReSharper disable once PossibleIntendedRethrow - throw aggEx; - } - - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - } - - [Obsolete] - public override EnrollmentResult Enroll(string csr, string subject, Dictionary san, - EnrollmentProductInfo productInfo, - PKIConstants.X509.RequestFormat requestFormat, RequestUtilities.EnrollmentType enrollmentType) - { - return null; - } - - public override EnrollmentResult Enroll(ICertificateDataReader certificateDataReader, string csr, - string subject, Dictionary san, EnrollmentProductInfo productInfo, - PKIConstants.X509.RequestFormat requestFormat, RequestUtilities.EnrollmentType enrollmentType) - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - CertRequestResult enrollmentResponse = null; - - Certificate csrTrackingResponse=null; - - switch (enrollmentType) - { - case RequestUtilities.EnrollmentType.New: - case RequestUtilities.EnrollmentType.Reissue: - Logger.Trace("Entering New Enrollment"); - - var policyListResult = - Task.Run(async () => await HydrantIdClient.GetPolicyList()) - .Result; - - Logger.Trace($"Policy Result List: {JsonConvert.SerializeObject(policyListResult)}"); - var policyId = policyListResult.Single(p => p.Name.Equals(productInfo.ProductID)); - - Logger.Trace($"PolicyId: {JsonConvert.SerializeObject(policyId)}"); - - var enrollmentRequest = - _requestManager.GetEnrollmentRequest(policyId.Id, productInfo, csr, san); - - Logger.Trace($"Enrollment Request JSON: {JsonConvert.SerializeObject(enrollmentRequest)}"); - enrollmentResponse = - Task.Run(async () => await HydrantIdClient.GetSubmitEnrollmentAsync(enrollmentRequest)) - .Result; + var caReqId = $"{currentResponseItem.Id}-{currentCert.SerialNumber}"; + Logger.Trace($"Split Cert Value: {cert}"); + blockingBuffer.Add(new CAConnectorCertificate + { + CARequestID =$"{currentResponseItem.Id}", + Certificate = cert, + SubmissionDate = Convert.ToDateTime(singleCert.Result.CreatedAt), + Status = certStatus, + ProductID = productId + }, cancelToken); + } + catch (Exception e) + { + Logger.Error( + $"Exception occurred Adding Cert to buffer: {e.Message} HydrantId: {currentResponseItem.Id} CommonName: {currentResponseItem.CommonName} Serial: {currentResponseItem.Serial}"); + } + } + } + } + } + catch (OperationCanceledException) + { + Logger.Error("Synchronize was canceled."); + break; + } + } + } + catch (AggregateException aggEx) + { + Logger.Error("Csc Global Synchronize Task failed!"); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + // ReSharper disable once PossibleIntendedRethrow + throw aggEx; + } + + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + } + + [Obsolete] + public override EnrollmentResult Enroll(string csr, string subject, Dictionary san, + EnrollmentProductInfo productInfo, + PKIConstants.X509.RequestFormat requestFormat, RequestUtilities.EnrollmentType enrollmentType) + { + return null; + } + + public override EnrollmentResult Enroll(ICertificateDataReader certificateDataReader, string csr, + string subject, Dictionary san, EnrollmentProductInfo productInfo, + PKIConstants.X509.RequestFormat requestFormat, RequestUtilities.EnrollmentType enrollmentType) + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + CertRequestResult enrollmentResponse = null; + int timerTries = 0; + Certificate csrTrackingResponse=null; + + Certificate csrTrackingResponse=null; + + switch (enrollmentType) + { + case RequestUtilities.EnrollmentType.New: + case RequestUtilities.EnrollmentType.Reissue: + Logger.Trace("Entering New Enrollment"); + + var policyListResult = + Task.Run(async () => await HydrantIdClient.GetPolicyList()) + .Result; + + Logger.Trace($"Policy Result List: {JsonConvert.SerializeObject(policyListResult)}"); + var policyId = policyListResult.Single(p => p.Name.Equals(productInfo.ProductID)); + + Logger.Trace($"PolicyId: {JsonConvert.SerializeObject(policyId)}"); + + var enrollmentRequest = + _requestManager.GetEnrollmentRequest(policyId.Id, productInfo, csr, san); + + Logger.Trace($"Enrollment Request JSON: {JsonConvert.SerializeObject(enrollmentRequest)}"); + enrollmentResponse = + Task.Run(async () => await HydrantIdClient.GetSubmitEnrollmentAsync(enrollmentRequest)) + .Result; Logger.Trace($"Enrollment Response JSON: {JsonConvert.SerializeObject(enrollmentResponse)}"); if (enrollmentResponse?.ErrorReturn?.Status != "Failure") { + timerTries = +1; csrTrackingResponse = GetCertificateOnTimer(enrollmentResponse?.RequestStatus?.Id); } else @@ -220,52 +223,48 @@ public override EnrollmentResult Enroll(ICertificateDataReader certificateDataRe } - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - - break; - - case RequestUtilities.EnrollmentType.Renew: - Logger.Trace("Entering Renew..."); - - var renewalRequest = _requestManager.GetRenewalRequest(csr, false); - Logger.Trace($"Renewal Request JSON: {JsonConvert.SerializeObject(renewalRequest)}"); - var sn = productInfo.ProductParameters["PriorCertSN"]; - Logger.Trace($"Prior Cert Serial Number= {sn}"); - var priorCert = certificateDataReader.GetCertificateRecord( - DataConversion.HexToBytes(sn)); - - var uUId = priorCert.CARequestID; //uUId is a GUID - - Logger.Trace($"Hydrant Certificate Id Plus Serial #= {uUId}"); - - Logger.Trace($"Reissue CA RequestId: {uUId}"); - var certificateId = uUId.Substring(0, 36); - enrollmentResponse = - Task.Run(async () => - await HydrantIdClient.GetSubmitRenewalAsync(certificateId, renewalRequest)) - .Result; + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + + break; + + case RequestUtilities.EnrollmentType.Renew: + Logger.Trace("Entering Renew..."); + + var renewalRequest = _requestManager.GetRenewalRequest(csr, false); + Logger.Trace($"Renewal Request JSON: {JsonConvert.SerializeObject(renewalRequest)}"); + var sn = productInfo.ProductParameters["PriorCertSN"]; + Logger.Trace($"Prior Cert Serial Number= {sn}"); + var priorCert = certificateDataReader.GetCertificateRecord( + DataConversion.HexToBytes(sn)); + + var uUId = priorCert.CARequestID; //uUId is a GUID + + Logger.Trace($"Hydrant Certificate Id Plus Serial #= {uUId}"); + + Logger.Trace($"Reissue CA RequestId: {uUId}"); + var certificateId = uUId.Substring(0, 36); + enrollmentResponse = + Task.Run(async () => + await HydrantIdClient.GetSubmitRenewalAsync(certificateId, renewalRequest)) + .Result; Logger.Trace($"Renew Response JSON: {JsonConvert.SerializeObject(enrollmentResponse)}"); if (enrollmentResponse?.ErrorReturn?.Status != "Failure") { - csrTrackingResponse = GetCertificateOnTimer(enrollmentResponse?.RequestStatus?.Id); - } - else - { - return new EnrollmentResult - { - Status = 30, //failure - StatusMessage = $"Enrollment Failed with error {enrollmentResponse?.ErrorReturn?.Error}" - }; - } - break; + timerTries = +1; + if(csrTrackingResponse==null && timerTries>0) + { + return new EnrollmentResult + { + Status = 30, //failure + StatusMessage = $"Certificate may still waiting on Hydrant and is not ready for download" + }; } + var cert = GetSingleRecord(csrTrackingResponse.Id.ToString()); + return _requestManager.GetEnrollmentResult(csrTrackingResponse,cert); + } - var cert = GetSingleRecord(csrTrackingResponse.Id.ToString()); - return _requestManager.GetEnrollmentResult(csrTrackingResponse,cert); - } - private Certificate GetCertificateOnTimer(string Id) { //Get the csr tracking response from the tracking Id returned from Enrollment @@ -290,66 +289,66 @@ private Certificate GetCertificateOnTimer(string Id) } return csrTrackingResponse; - } - - public override CAConnectorCertificate GetSingleRecord(string caRequestId) - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - Logger.Trace($"Keyfactor Ca Id: {caRequestId}"); - try - { - var certificateResponse = - Task.Run(async () => - await HydrantIdClient.GetSubmitGetCertificateAsync(caRequestId.Substring(0, 36))) - .Result; - - Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}"); - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - return new CAConnectorCertificate - { - CARequestID = caRequestId, - Certificate = certificateResponse.Pem, - ResolutionDate = Convert.ToDateTime(certificateResponse.NotAfter), - Status = _requestManager.GetMapReturnStatus(certificateResponse.RevocationStatus), - SubmissionDate = Convert.ToDateTime(certificateResponse.CreatedAt) - }; - } - catch (Exception) //Most likely cert is not available yet, just get it on the sync - { - return new CAConnectorCertificate - { - CARequestID = caRequestId, - Status = _requestManager.GetMapReturnStatus(0) //Unknown - }; - } - } - - public override void Initialize(ICAConnectorConfigProvider configProvider) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - HydrantIdClient = new HydrantIdClient(configProvider); - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - } - catch (Exception e) - { - Logger.Error($"Error Occured in HydrantIdProxy.Initialize: {e.Message}"); - throw; - } - } - - public override void Ping() - { - } - - public override void ValidateCAConnectionInfo(Dictionary connectionInfo) - { - } - - public override void ValidateProductInfo(EnrollmentProductInfo productInfo, - Dictionary connectionInfo) - { - } - } + } + + public override CAConnectorCertificate GetSingleRecord(string caRequestId) + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + Logger.Trace($"Keyfactor Ca Id: {caRequestId}"); + try + { + var certificateResponse = + Task.Run(async () => + await HydrantIdClient.GetSubmitGetCertificateAsync(caRequestId.Substring(0, 36))) + .Result; + + Logger.Trace($"Single Cert JSON: {JsonConvert.SerializeObject(certificateResponse)}"); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + return new CAConnectorCertificate + { + CARequestID = caRequestId, + Certificate = certificateResponse.Pem, + ResolutionDate = Convert.ToDateTime(certificateResponse.NotAfter), + Status = _requestManager.GetMapReturnStatus(certificateResponse.RevocationStatus), + SubmissionDate = Convert.ToDateTime(certificateResponse.CreatedAt) + }; + } + catch (Exception) //Most likely cert is not available yet, just get it on the sync + { + return new CAConnectorCertificate + { + CARequestID = caRequestId, + Status = _requestManager.GetMapReturnStatus(0) //Unknown + }; + } + } + + public override void Initialize(ICAConnectorConfigProvider configProvider) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + HydrantIdClient = new HydrantIdClient(configProvider); + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + } + catch (Exception e) + { + Logger.Error($"Error Occured in HydrantIdProxy.Initialize: {e.Message}"); + throw; + } + } + + public override void Ping() + { + } + + public override void ValidateCAConnectionInfo(Dictionary connectionInfo) + { + } + + public override void ValidateProductInfo(EnrollmentProductInfo productInfo, + Dictionary connectionInfo) + { + } + } } \ No newline at end of file diff --git a/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj b/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj index 160e0d8..3d26feb 100644 --- a/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj +++ b/HydrantIdProxy/src/HydrantIdProxy/HydrantIdProxy.csproj @@ -51,8 +51,8 @@ ..\..\packages\Keyfactor.AnyGateway.SDK.21.3.2\lib\net462\CommonCAProxy.dll - - ..\..\packages\CSS.Common.1.6.0\lib\net462\CSS.Common.dll + + ..\..\packages\CSS.Common.1.7.0\lib\net462\CSS.Common.dll ..\..\packages\CSS.PKI.2.13.0\lib\net462\CSS.PKI.dll @@ -60,9 +60,6 @@ ..\..\packages\HawkNet.1.4.4.0\lib\net45\HawkNet.dll - - ..\..\packages\JsonSubTypes.1.8.0\lib\net46\JsonSubTypes.dll - ..\..\packages\Newtonsoft.Json.12.0.3\lib\net45\Newtonsoft.Json.dll diff --git a/HydrantIdProxy/src/HydrantIdProxy/RequestManager.cs b/HydrantIdProxy/src/HydrantIdProxy/RequestManager.cs index 0ee8768..25aff76 100644 --- a/HydrantIdProxy/src/HydrantIdProxy/RequestManager.cs +++ b/HydrantIdProxy/src/HydrantIdProxy/RequestManager.cs @@ -1,262 +1,262 @@ -// Copyright 2023 Keyfactor -// Licensed under the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. You may obtain a -// copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless -// required by applicable law or agreed to in writing, software distributed -// under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES -// OR CONDITIONS OF ANY KIND, either express or implied. See the License for -// thespecific language governing permissions and limitations under the -// License. -using System; -using System.Collections.Generic; -using System.IO; -using CAProxy.AnyGateway.Models; -using CSS.Common.Logging; -using CSS.PKI; -using Keyfactor.HydrantId.Client.Models; -using Keyfactor.HydrantId.Client.Models.Enums; -using Keyfactor.HydrantId.Interfaces; -using Org.BouncyCastle.Pkcs; -using Keyfactor.HydrantId.Exceptions; -using Org.BouncyCastle.OpenSsl; - -namespace Keyfactor.HydrantId -{ - public class RequestManager : LoggingClientBase - { - public int GetMapReturnStatus(RevocationStatusEnum hydrantIdStatus) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - PKIConstants.Microsoft.RequestDisposition returnStatus; - Logger.Trace($"hydrantIdStatus: {hydrantIdStatus}"); - switch (hydrantIdStatus) - { - case RevocationStatusEnum.Valid: - returnStatus = PKIConstants.Microsoft.RequestDisposition.ISSUED; - break; - case RevocationStatusEnum.Pending: - returnStatus = PKIConstants.Microsoft.RequestDisposition.PENDING; - break; - case RevocationStatusEnum.Revoked: - returnStatus = PKIConstants.Microsoft.RequestDisposition.REVOKED; - break; - default: - returnStatus = PKIConstants.Microsoft.RequestDisposition.UNKNOWN; - break; - } - Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); - return Convert.ToInt32(returnStatus); - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetMapReturnStatus: {e.Message}"); - throw; - } - } - - public RevocationReasons GetMapRevokeReasons(uint keyfactorRevokeReason) - { - - try - { - RevocationReasons returnStatus = RevocationReasons.KeyCompromise; - if (keyfactorRevokeReason == 1 | keyfactorRevokeReason == 3 | keyfactorRevokeReason == 4 | keyfactorRevokeReason == 5) - { - - switch (keyfactorRevokeReason) - { - case 1: - returnStatus = RevocationReasons.KeyCompromise; - break; - case 3: - returnStatus = RevocationReasons.AffiliationChanged; - break; - case 4: - returnStatus = RevocationReasons.Superseded; - break; - case 5: - returnStatus = RevocationReasons.CessationOfOperation; - break; - } - - return returnStatus; - } - - throw new RevokeReasonNotSupportedException("This Revoke Reason is not Supported"); - - } - catch(Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetMapRevokeReasons: {e.Message}"); - throw; - } - } - - public RevokeCertificateReason GetRevokeRequest(RevocationReasons reason) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - return new RevokeCertificateReason - { - Reason = reason - }; - } - - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetRevokeRequest: {e.Message}"); - throw; - } - } - - public CertificatesPayload GetCertificatesListRequest(int offset,int limit) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - return new CertificatesPayload - { - Limit = limit, - Offset = offset, - Status = 0, - Expired = true - }; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetCertificatesListRequest: {e.Message}"); - throw; - } - } - - public CertRequestBody GetEnrollmentRequest(Guid? policyId,EnrollmentProductInfo productInfo, string csr, Dictionary san) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - if (san.ContainsKey("dns")) - { - return new CertRequestBody - { - Policy = policyId, - Csr = csr, - DnComponents = GetDnComponentsRequest(csr), - SubjectAltNames = GetSansRequest(san), - Validity = GetValidity(productInfo.ProductParameters["ValidityPeriod"],Convert.ToInt16(productInfo.ProductParameters["ValidityUnits"])) - }; - } - - return new CertRequestBody - { - Policy = policyId, - Csr = csr, - DnComponents = GetDnComponentsRequest(csr), - Validity=GetValidity(productInfo.ProductParameters["ValidityPeriod"], Convert.ToInt16(productInfo.ProductParameters["ValidityUnits"])) - }; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetEnrollmentRequest: {e.Message}"); - throw; - } - } - - public RenewalRequest GetRenewalRequest(string csr, bool reuseCsr) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - return new RenewalRequest - { - Csr = csr, - ReuseCsr = reuseCsr - }; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetRenewalRequest: {e.Message}"); - throw; - } - } - - private CertRequestBodyValidity GetValidity(string period,int units) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - CertRequestBodyValidity validity = new CertRequestBodyValidity(); - switch(period) - { - case "Years": - validity.Years = units; - break; - case "Months": - validity.Months = units; - break; - case "Days": - validity.Days = units; - break; - } - - return validity; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetValidity: {e.Message}"); - throw; - } - } - - public CertRequestBodySubjectAltNames GetSansRequest(Dictionary sans) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - var san = new CertRequestBodySubjectAltNames(); - List dnsNames = new List(); - foreach (var v in sans["dns"]) - { - dnsNames.Add(v); - } - san.Dnsname=dnsNames; - return san; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetSansRequest: {e.Message}"); - throw; - } - } - - public EnrollmentResult - GetEnrollmentResult( - ICertificate enrollmentResult, CAConnectorCertificate cert) - { - try - { +// Copyright 2023 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. You may obtain a +// copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless +// required by applicable law or agreed to in writing, software distributed +// under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES +// OR CONDITIONS OF ANY KIND, either express or implied. See the License for +// thespecific language governing permissions and limitations under the +// License. +using System; +using System.Collections.Generic; +using System.IO; +using CAProxy.AnyGateway.Models; +using CSS.Common.Logging; +using CSS.PKI; +using Keyfactor.HydrantId.Client.Models; +using Keyfactor.HydrantId.Client.Models.Enums; +using Keyfactor.HydrantId.Interfaces; +using Keyfactor.HydrantId.Exceptions; +using Org.BouncyCastle.OpenSsl; +using Org.BouncyCastle.Pkcs; + +namespace Keyfactor.HydrantId +{ + public class RequestManager : LoggingClientBase + { + public int GetMapReturnStatus(RevocationStatusEnum hydrantIdStatus) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + PKIConstants.Microsoft.RequestDisposition returnStatus; + Logger.Trace($"hydrantIdStatus: {hydrantIdStatus}"); + switch (hydrantIdStatus) + { + case RevocationStatusEnum.Valid: + returnStatus = PKIConstants.Microsoft.RequestDisposition.ISSUED; + break; + case RevocationStatusEnum.Pending: + returnStatus = PKIConstants.Microsoft.RequestDisposition.PENDING; + break; + case RevocationStatusEnum.Revoked: + returnStatus = PKIConstants.Microsoft.RequestDisposition.REVOKED; + break; + default: + returnStatus = PKIConstants.Microsoft.RequestDisposition.UNKNOWN; + break; + } + Logger.MethodExit(ILogExtensions.MethodLogLevel.Debug); + return Convert.ToInt32(returnStatus); + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetMapReturnStatus: {e.Message}"); + throw; + } + } + + public RevocationReasons GetMapRevokeReasons(uint keyfactorRevokeReason) + { + + try + { + RevocationReasons returnStatus = RevocationReasons.KeyCompromise; + if (keyfactorRevokeReason == 1 | keyfactorRevokeReason == 3 | keyfactorRevokeReason == 4 | keyfactorRevokeReason == 5) + { + + switch (keyfactorRevokeReason) + { + case 1: + returnStatus = RevocationReasons.KeyCompromise; + break; + case 3: + returnStatus = RevocationReasons.AffiliationChanged; + break; + case 4: + returnStatus = RevocationReasons.Superseded; + break; + case 5: + returnStatus = RevocationReasons.CessationOfOperation; + break; + } + + return returnStatus; + } + + throw new RevokeReasonNotSupportedException("This Revoke Reason is not Supported"); + + } + catch(Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetMapRevokeReasons: {e.Message}"); + throw; + } + } + + public RevokeCertificateReason GetRevokeRequest(RevocationReasons reason) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + return new RevokeCertificateReason + { + Reason = reason + }; + } + + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetRevokeRequest: {e.Message}"); + throw; + } + } + + public CertificatesPayload GetCertificatesListRequest(int offset,int limit) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + return new CertificatesPayload + { + Limit = limit, + Offset = offset, + Status = 0, + Expired = true + }; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetCertificatesListRequest: {e.Message}"); + throw; + } + } + + public CertRequestBody GetEnrollmentRequest(Guid? policyId,EnrollmentProductInfo productInfo, string csr, Dictionary san) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + if (san.ContainsKey("dns")) + { + return new CertRequestBody + { + Policy = policyId, + Csr = csr, + DnComponents = GetDnComponentsRequest(csr), + SubjectAltNames = GetSansRequest(san), + Validity = GetValidity(productInfo.ProductParameters["ValidityPeriod"],Convert.ToInt16(productInfo.ProductParameters["ValidityUnits"])) + }; + } + + return new CertRequestBody + { + Policy = policyId, + Csr = csr, + DnComponents = GetDnComponentsRequest(csr), + Validity=GetValidity(productInfo.ProductParameters["ValidityPeriod"], Convert.ToInt16(productInfo.ProductParameters["ValidityUnits"])) + }; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetEnrollmentRequest: {e.Message}"); + throw; + } + } + + public RenewalRequest GetRenewalRequest(string csr, bool reuseCsr) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + return new RenewalRequest + { + Csr = csr, + ReuseCsr = reuseCsr + }; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetRenewalRequest: {e.Message}"); + throw; + } + } + + private CertRequestBodyValidity GetValidity(string period,int units) + { + try + { Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - if (enrollmentResult==null) - { - return new EnrollmentResult - { - Status = 30, //failure - StatusMessage = $"Enrollment Failed with could not get the certificate from the request tracking id" - }; - } - - if (!enrollmentResult.Id.HasValue) - { - return new EnrollmentResult - { - Status = 30, //failure - StatusMessage = $"Enrollment Failed with could not get the certificate from the request tracking id" - }; + CertRequestBodyValidity validity = new CertRequestBodyValidity(); + switch(period) + { + case "Years": + validity.Years = units; + break; + case "Months": + validity.Months = units; + break; + case "Days": + validity.Days = units; + break; + } + + return validity; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetValidity: {e.Message}"); + throw; + } + } + + public CertRequestBodySubjectAltNames GetSansRequest(Dictionary sans) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + var san = new CertRequestBodySubjectAltNames(); + List dnsNames = new List(); + foreach (var v in sans["dns"]) + { + dnsNames.Add(v); + } + san.Dnsname=dnsNames; + return san; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetSansRequest: {e.Message}"); + throw; + } + } + + public EnrollmentResult + GetEnrollmentResult( + ICertificate enrollmentResult, CAConnectorCertificate cert) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + if (enrollmentResult==null) + { + return new EnrollmentResult + { + Status = 30, //failure + StatusMessage = $"Enrollment Failed with could not get the certificate from the request tracking id" + }; + } + + if (!enrollmentResult.Id.HasValue) + { + return new EnrollmentResult + { + Status = 30, //failure + StatusMessage = $"Enrollment Failed with could not get the certificate from the request tracking id" + }; } - if (enrollmentResult.Id.HasValue) + if (enrollmentResult.Id.HasValue) { return new EnrollmentResult { @@ -264,90 +264,90 @@ public EnrollmentResult CARequestID = enrollmentResult.Id.ToString(), Certificate = cert.Certificate, StatusMessage = $"Order Successfully Created With Product {cert.ProductID}" - }; - } - - return null; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetEnrollmentResult: {e.Message}"); - throw; - } - } - - public static Func Pemify = ss => - ss.Length <= 64 ? ss : ss.Substring(0, 64) + "\n" + Pemify(ss.Substring(64)); - - public CertRequestBodyDnComponents GetDnComponentsRequest(string csr) - { - try - { - Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); - var c = String.Empty; - var o = String.Empty; - var cn = string.Empty; - var l = string.Empty; - var st = string.Empty; - var ou = string.Empty; - - Logger.Trace($"CSR: {csr}"); - var cert = "-----BEGIN CERTIFICATE REQUEST-----\r\n"; - cert = cert + Pemify(csr); - cert = cert + "\r\n-----END CERTIFICATE REQUEST-----"; - Logger.Trace($"cert: {cert}"); - - var reader = new PemReader(new StringReader(cert)); - if (reader.ReadObject() is Pkcs10CertificationRequest req) - { - var info = req.GetCertificationRequestInfo(); - Logger.Trace($"subject: {info.Subject}"); - - var array1 = info.Subject.ToString().Split(','); - foreach (var x in array1) - { - var itemArray = x.Split('='); - - switch (itemArray[0].ToUpper()) - { - case "C": - c = itemArray[1]; - break; - case "O": - o = itemArray[1]; - break; - case "CN": - cn = itemArray[1]; - break; - case "OU": - ou = itemArray[1]; - break; - case "ST": - st = itemArray[1]; - break; - case "L": - l = itemArray[1]; - break; - } - } - } - - return new CertRequestBodyDnComponents - { - Cn = cn, - Ou = new List{ou}, - O=o, - L=l, - St = st, - C=c - }; - } - catch (Exception e) - { - Logger.Error($"Error Occured in RequestManager.GetDnComponentsRequest: {e.Message}"); - throw; - } - } - } -} - + }; + } + + return null; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetEnrollmentResult: {e.Message}"); + throw; + } + } + + public static Func Pemify = ss => + ss.Length <= 64 ? ss : ss.Substring(0, 64) + "\n" + Pemify(ss.Substring(64)); + + public CertRequestBodyDnComponents GetDnComponentsRequest(string csr) + { + try + { + Logger.MethodEntry(ILogExtensions.MethodLogLevel.Debug); + var c = String.Empty; + var o = String.Empty; + var cn = string.Empty; + var l = string.Empty; + var st = string.Empty; + var ou = string.Empty; + + Logger.Trace($"CSR: {csr}"); + var cert = "-----BEGIN CERTIFICATE REQUEST-----\r\n"; + cert = cert + Pemify(csr); + cert = cert + "\r\n-----END CERTIFICATE REQUEST-----"; + Logger.Trace($"cert: {cert}"); + + var reader = new PemReader(new StringReader(cert)); + if (reader.ReadObject() is Pkcs10CertificationRequest req) + { + var info = req.GetCertificationRequestInfo(); + Logger.Trace($"subject: {info.Subject}"); + + var array1 = info.Subject.ToString().Split(','); + foreach (var x in array1) + { + var itemArray = x.Split('='); + + switch (itemArray[0].ToUpper()) + { + case "C": + c = itemArray[1]; + break; + case "O": + o = itemArray[1]; + break; + case "CN": + cn = itemArray[1]; + break; + case "OU": + ou = itemArray[1]; + break; + case "ST": + st = itemArray[1]; + break; + case "L": + l = itemArray[1]; + break; + } + } + } + + return new CertRequestBodyDnComponents + { + Cn = cn, + Ou = new List{ou}, + O=o, + L=l, + St = st, + C=c + }; + } + catch (Exception e) + { + Logger.Error($"Error Occured in RequestManager.GetDnComponentsRequest: {e.Message}"); + throw; + } + } + } +} + diff --git a/HydrantIdProxy/src/HydrantIdProxy/app.config b/HydrantIdProxy/src/HydrantIdProxy/app.config index 1febf8c..e7bfe44 100644 --- a/HydrantIdProxy/src/HydrantIdProxy/app.config +++ b/HydrantIdProxy/src/HydrantIdProxy/app.config @@ -1,19 +1,19 @@ - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/HydrantIdProxy/src/HydrantIdProxy/packages.config b/HydrantIdProxy/src/HydrantIdProxy/packages.config index a517475..398501b 100644 --- a/HydrantIdProxy/src/HydrantIdProxy/packages.config +++ b/HydrantIdProxy/src/HydrantIdProxy/packages.config @@ -1,17 +1,16 @@ - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/README.md b/README.md index 4fdd9b8..39c4d00 100644 --- a/README.md +++ b/README.md @@ -10,8 +10,6 @@ HydrantId operates a PKI as a service platform for customers around the globe. This repository contains an AnyGateway CA Connector, which is a plugin to the Keyfactor AnyGateway. AnyGateway CA Connectors allow Keyfactor Command to be used for inventory, issuance, and revocation of certificates from a third-party certificate authority. - - ## Support for HydrantId HydrantId is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. @@ -19,7 +17,6 @@ HydrantId is supported by Keyfactor for Keyfactor customers. If you have a suppo ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. - --- @@ -171,6 +168,33 @@ the CA. Without the imported configuration, the service will fail to start. ### Template Installation +The Template section will map the CA's products to an AD template. +* ```ProductID``` +This is the ID of the HydrantId product to map to the specified template. If you don't know the available product IDs in your Hydrant account, put a placeholder value here and run the Set-KeyfactorGatewayConfig cmdlet according to the AnyGateway documentation. The list of available product IDs will be returned. +* ```ValidityPeriod``` +REQUIRED: The period to use when requesting certs. It could be, Days, Months, Years depending on the Template. +* ```ValidityUnits``` +REQUIRED: The numeric value corresponding to the ValidityPeriod. For years 1 would be 1 year, for days 7 would be 7 days. + + ```json + "Templates": { + "AutoEnrollment - RSA": { + "ProductID": "AutoEnrollment - RSA", + "Parameters": { + "ValidityPeriod": "Years", + "ValidityUnits": 1 + } + }, + "AutoEnrollment - RSA - 7 Day": { + "ProductID": "AutoEnrollment - RSA - 7 Day", + "Parameters": { + "ValidityPeriod": "Days", + "ValidityUnits": 7 + } + } + } + ``` +======= 1) Command Server - Copy and Unzip the Template Setup Files located [Here](https://github.com/Keyfactor/hydrantid-cagateway/raw/main/TemplateSetup.zip) 2) Command Server - Change the Security Settings in the CaTemplateUserSecurity.csv file to the appropriate settings for Test or Production 3) Command Server - Run the CreateTemplate.ps1 file and choose option 1 to create the templates in active directory. diff --git a/readme_source.md b/readme_source.md index 4a8a1fb..ec64c4c 100644 --- a/readme_source.md +++ b/readme_source.md @@ -137,6 +137,33 @@ the CA. Without the imported configuration, the service will fail to start. ### Template Installation +The Template section will map the CA's products to an AD template. +* ```ProductID``` +This is the ID of the HydrantId product to map to the specified template. If you don't know the available product IDs in your Hydrant account, put a placeholder value here and run the Set-KeyfactorGatewayConfig cmdlet according to the AnyGateway documentation. The list of available product IDs will be returned. +* ```ValidityPeriod``` +REQUIRED: The period to use when requesting certs. It could be, Days, Months, Years depending on the Template. +* ```ValidityUnits``` +REQUIRED: The numeric value corresponding to the ValidityPeriod. For years 1 would be 1 year, for days 7 would be 7 days. + + ```json + "Templates": { + "AutoEnrollment - RSA": { + "ProductID": "AutoEnrollment - RSA", + "Parameters": { + "ValidityPeriod": "Years", + "ValidityUnits": 1 + } + }, + "AutoEnrollment - RSA - 7 Day": { + "ProductID": "AutoEnrollment - RSA - 7 Day", + "Parameters": { + "ValidityPeriod": "Days", + "ValidityUnits": 7 + } + } + } + ``` +======= 1) Command Server - Copy and Unzip the Template Setup Files located [Here](https://github.com/Keyfactor/hydrantid-cagateway/raw/main/TemplateSetup.zip) 2) Command Server - Change the Security Settings in the CaTemplateUserSecurity.csv file to the appropriate settings for Test or Production 3) Command Server - Run the CreateTemplate.ps1 file and choose option 1 to create the templates in active directory.